Fredrik_Lautrup
Employee

Authentication and Authorization are two important concepts in securing any application.  Let’s start with some simple definitions.  Authentication makes sure that the person accessing the system is the person he says he is.  Authorization only lets you access information and complete actions that you are allowed to, based on your identity.

In QlikView, these are two distinct activities performed independently of each other.  This often creates confusion and configuration errors, so let me explain how it works.  When a user gets access to QlikView, it is always done in these four steps:

Flow.png

One of the most common misunderstandings around this is what services are part of what step in the process.

The first two steps covering authentication are handled by the web layer (i.e. QVWS or IIS).  The third step is achieved by the web layer transferring the identity to the QlikView Server using the QVP protocol.  The fourth step is authorization and is handled by the QlikView Server using groups resolved by the Directory Service Connector.

There are some big benefits to this approach:

  1. QlikView does not have to store passwords; these are stored by an identity provider such as LDAP or AD.
  2. Normal procedures for user management can be applied, which helps maintain adherence to security policies.
  3. It is possible to customize authentication without affecting authorization, which gives us the option to use external identity providers such as Google and Salesforce.
  4. All authorization is done in the backend, making it easier to protect.
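A small model of the split described above (web layer authenticates, only the identity is handed over, the server authorizes from groups), showing why the authenticator can be swapped without touching authorization. This is an added illustration, not QlikView code: every function name, user, token, group and document in it is constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data standing in for the external systems.
_SALT = b"constructed-salt"

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

IDP_USERS = {"alice": _kdf("correct horse")}           # identity provider (holds the secrets)
EXTERNAL_SESSIONS = {"tok-bob": "bob"}                 # sessions issued by an external provider
DIRECTORY_GROUPS = {"alice": {"Finance"}, "bob": {"Sales"}}          # directory lookup
DOCUMENT_ACL = {"finance.qvw": {"Finance"}, "sales.qvw": {"Sales"}}  # server-side ACL

def password_authenticator(credentials):
    """Steps 1-2, web layer: check credentials with the identity provider."""
    user, password = credentials
    ok = hmac.compare_digest(IDP_USERS.get(user, b""), _kdf(password))
    return user if ok else None

def external_idp_authenticator(token):
    """Steps 1-2, alternative: accept a session issued by an external provider."""
    return EXTERNAL_SESSIONS.get(token)

def server_authorize(identity, document):
    """Step 4, server: decide from resolved groups only; default is deny."""
    groups = DIRECTORY_GROUPS.get(identity, set())
    return bool(groups & DOCUMENT_ACL.get(document, set()))

def open_document(authenticator, credentials, document):
    identity = authenticator(credentials)         # steps 1-2: authentication
    if identity is None:
        return "401 not authenticated"
    # Step 3: only the identity crosses to the server, never the credentials.
    if not server_authorize(identity, document):  # step 4: authorization
        return "403 not authorized"
    return "200 " + document

if __name__ == "__main__":
    print(open_document(password_authenticator, ("alice", "correct horse"), "finance.qvw"))
    print(open_document(password_authenticator, ("alice", "correct horse"), "sales.qvw"))
    print(open_document(external_idp_authenticator, "tok-bob", "sales.qvw"))
```

Note that `server_authorize` is identical for both authenticators, and a document with no ACL entry is denied rather than opened.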

The role of the Directory Service Connector in the flow is somewhat blurred by the fact that almost all QlikView components use it. The web layer, QlikView Server, QlikView Management Service, and the QlikView Publisher all use the Directory Service Connector for different things.

Most QlikView components use the Directory Service Connector for authorization or to get information about users, except when custom users are used.  If you use custom users, these are authenticated against the Directory Service Connector, which in this special case stores the identities and passwords for the users.

Achitecture.png

Remember, as a rule of thumb: the front-end components handle authentication and the backend components handle authorization.  I hope this gives you a clearer picture of how QlikView handles authentication and authorization and which components are used in which part of the flow.

Have further questions you’d like me to answer?  Leave me a comment!

38 Comments
Not applicable

Thank you, It works!

I've another question, what should I do to achieve the same result on mac os?

0 Likes
380 Views
Anonymous
Not applicable

Have you reviewed the following post?

An introduction to QlikView Security using Web Tickets

0 Likes
380 Views
Bill_Britt
Former Employee

Hi,

You cannot use webticketing and SBE.

Bill Britt

Designated Support Engineer


0 Likes
380 Views
qlikviewwizard
Master II

Hi Fredrik, Thanks for sharing this useful information.

0 Likes
380 Views
Not applicable

Hi Fredrik,

We are looking to use our business Google account to have SSO with Qlik Sense enterprise.  Would you be able to help?

Thanks,

Dan

0 Likes
380 Views
Not applicable

Hello Fredrik, I have a simple requirement: in a Qlik server we need the authentication of a user that is in a domain other than the usual one by LDAP. The license assignments were successful, that is to say that it recognizes the user and the domain. But when I try to access the access point, it is not possible. Do you know any answer to this case?

0 Likes
380 Views
Bill_Britt
Former Employee

Hi,

You will need either a two-way trust between the domains or to set up SSO.

Bill

0 Likes
365 Views
rsdhavle
Creator II

Is there any way to perform authorization through another system? As in, if we maintain security data in one system, can we link that with Qlik so that when entering the access point or hub, data will get filtered for a particular user, who can only see that much data when any application is accessed?

0 Likes
341 Views